20:00:00 <nitzmahone> #startmeeting Ansible Windows Working Group
20:00:00 <zodbot> Meeting started Tue Feb 15 20:00:00 2022 UTC.
20:00:00 <zodbot> This meeting is logged and archived in a public location.
20:00:00 <zodbot> The chair is nitzmahone. Information about MeetBot at https://fedoraproject.org/wiki/Zodbot#Meeting_Functions.
20:00:00 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
20:00:00 <zodbot> The meeting name has been set to 'ansible_windows_working_group'
20:00:00 <zodbot> jborean93: Error: Can't start another meeting, one is in progress.
20:00:03 <nitzmahone> bam
20:00:05 <jborean93> darn you
20:00:10 <nitzmahone> ha
20:00:11 <briantist> hello
20:00:16 <nitzmahone> #info agenda https://github.com/ansible/community/issues/644
20:00:19 <nitzmahone> hey hey
20:00:52 <nitzmahone> Nothing new on the agenda, so
20:00:54 <nitzmahone> #topic open floor
20:01:17 <briantist> I haven't had much time to actually work on it, but looked at the ngrok thing you recommended nitzmahone
20:01:20 <nitzmahone> #info ansible-core milestone branch moved for 2.13 today
20:01:29 <nitzmahone> ah nice
20:01:37 <briantist> also found this which might be a little more direct for getting RDP: https://github.com/cationx/GitHub-Action-RDP
20:01:52 <briantist> but still, haven't had time to try any of it
20:02:07 <nitzmahone> Yeah, I assumed someone would eventually wrap it up into a nice action for RDP as well
20:02:19 <briantist> I should really clone that one locally, these repos keep getting wiped 😬
20:02:21 <nitzmahone> (that wasn't around last time I was poking at it)
20:02:25 <nitzmahone> exactly :D
20:03:17 <briantist> jborean93: I finally got around to looking at that CCG plugin for windows containers and comparing to my own code
20:03:39 <briantist> I got mine to the point where the server and client applications worked without crashing but no matter what I could not get it working with CCG directly
20:03:48 <briantist> I finally gave up on trying to do it in dotnetcore
20:04:11 <briantist> the POC you linked me to is full framework and it works well, so I think I will base a new project on full framework
20:04:25 <briantist> (a CCG plugin that gets its credential from HashiCorp Vault)
20:04:34 <nitzmahone> The security stuff is wonky enough in containers that it doesn't surprise me you ran into issues
20:04:40 <jborean93> bummer that you couldn't get it working further
20:04:51 <jborean93> but nice to know it at least stopped the crashes
20:05:10 <briantist> it's ok, this literally will only ever be run on Windows servers, so using full framework is fine
20:05:32 <briantist> nitzmahone: this part is well before containers are even part of it actually.. it's just OOP COM :-p
20:05:47 <jborean93> it's not like it would be workable on Linux anyway :)
20:05:49 <nitzmahone> Ah that thing
20:06:22 <briantist> but yeah, the prospect of being able to run Windows container hosts that aren't domain joined, but can have the containers use a gMSA domain identity on the network, has me practically giddy
20:06:37 * nitzmahone resists the urge to wade back into COM wonkery
20:06:56 <briantist> autoscaling, ephemeral CI workers, even kubernetes (perish the thought, but some other folks will like it haha)
20:07:41 <nitzmahone> I still want a DC in a container. And where's my jet pack?
20:07:42 <briantist> not to mention a major web application we host runs in IIS as a gMSA.. this is an opportunity to containerize it..
20:07:46 <briantist> lol
20:07:55 <briantist> DC in a container, now that would be a neat trick
20:08:08 <jborean93> I've seen plenty of people beg for it
20:08:31 <jborean93> Could I interest you in running Samba in a container :)
20:08:36 <briantist> speaking of, not sure if you all remember, I was looking at deploying KDC proxies: https://syfuhs.net/kdc-proxy-for-remote-access
20:08:59 <nitzmahone> I just think back to when we used to run large Windows web apps and how many problems containers would've solved for us
20:09:07 <briantist> I'm looking for a way to have all krb5.confs out there to stop hardcoding DCs.. and that's the ticket (heh) I think
20:09:25 <briantist> I'm going to try to do a POC of the KDC proxy soon, maybe next week or something
20:09:36 <briantist> and I was thinking... does it _really_ need to be domain joined?
20:09:39 <jborean93> nice definitely interested in what you work out
20:09:47 <nitzmahone> Would be curious to know what kind of performance hit that causes, especially for things like Ansible that are, shall we say, already "inefficient" when it comes to kerb... ;)
20:09:58 <briantist> could my cluster of little KDC proxies behind a load balancer ACTUALLY be.... Windows containers with a gMSA identity?!?!
20:10:09 <nitzmahone> That would be pretty darn slick
20:10:10 <briantist> well, I will certainly find out!
20:10:28 <briantist> on the performance aspects as well
20:11:45 <briantist> in actual Ansible news (but not Windows related), I finally got some unit tests going for modules in my collection, it's really nice
20:11:56 <briantist> not replacing integration mind you, but supplementing it
20:12:19 <jborean93> nice, I think I ended up simplifying the collection loader I used in the ansible.windows unit tests
20:12:22 <nitzmahone> Nice- not a lot of people bother, but for most things it really does make sense to have both
20:12:22 <briantist> catching the stuff that's difficult in integration (certain exceptions, missing libraries, combinations of options that I can't test "live")
20:12:44 <nitzmahone> exactly (or that's way too slow to test all the different cases in-situ)
20:13:04 <briantist> adding units was HUGE for this collection, having it for modules too is really helpful
20:13:19 <nitzmahone> Things like input validation, it's kinda silly to do with a live remote module
20:13:26 <jborean93> ah that's right, now that `pip install -e ansible-core` works I no longer needed the hacks of setting PYTHONPATH and some other things
20:14:06 <briantist> collection is at a little over 97% coverage now.. should be higher once I test the deprecation code I stole from core since as is it doesn't show deprecations for lookups.. I thought it'd be more temporary than it was haha
20:14:32 <nitzmahone> impressive
20:14:37 <nitzmahone> that's tough to get
20:14:37 <jborean93> nice, makes the coverage of the windows collection abysmal :)
20:14:44 <briantist> nitzmahone: yeah exactly, most of this collection is passing parameters through to a library, being able to mock the library call and `assert_called_once_with()` is hugely powerful
20:18:30 <briantist> oh jborean93 I did see you tagged me on that win_reboot issue like I asked, thanks for that, haven't had a chance to look at it yet
20:19:28 <jborean93> no worries, I was annoyed that registry hack I had in place to detect when a reboot was back wasn't foolproof but this is the only time I've seen it fail and it only happened periodically
20:19:39 <jborean93> At least waiting for it to come online is the same as what I did before
20:20:53 <briantist> I am curious if it will help me with a strange startup race condition thing I was seeing ~2 years ago that we only hit when we tried to change the servers from using static DNS servers to DHCP assigned DNS.. never could figure it out as our team disbanded right at that time (surprise reorg!)
20:21:14 <briantist> but I'm hoping to revisit that DNS project this year so we'll see...
20:21:41 <briantist> it's probably a longshot that it's related, but if I hit it again, I'll be looking for any lead
20:21:55 <nitzmahone> I'm still grouchy that WinRM starts as early as it does when it's generally not able to do much :(
20:22:28 <nitzmahone> (esp when there are updates in flight- seriously, this bug has been out there for years and nobody cares?)
20:23:07 <jborean93> I've found that registry key is pretty solid, this was the first time that I've seen it fail me and it only happened periodically
20:23:24 <nitzmahone> Yeah, that was an awesome find, just sucks that we have to do it at all
20:23:29 <jborean93> But yea, not having an official way to just wait until Windows is "ready" annoys me to no end
20:23:52 <briantist> in our case, this was some powershell running in the AWS startup script, so nothing remotely, it's just so weird.. we do offline domain join (inject the BLOB in userdata) to handle joining of ec2 instances... and it didn't work if we used DHCP for DNS... but everything we did to test DNS resolution before and after the join call, everything worked fine.. so weird.
20:24:09 <briantist> but yeah, there should be a much clearer sign of "readiness"
20:26:40 <nitzmahone> Yeah, I've hit similar issues there- might have something to do with some of the dance between the agent and the virtual NIC drivers... I'm curious if you still hit it with the newer agents- they definitely changed some nuances about when/how the user data script runs that we had to account for, but it also fixed some problems.
20:27:38 <nitzmahone> I don't remember when they switched the agents over, we've still got a mix because I think they didn't switch out the agents on 2012, maybe 2016 as well
20:27:43 <briantist> I thought at that time it was already the newer style agent.. but 2 years of pandemic brain... who knows anymore, hopefully next time I try it the problem is just gone 😬
20:28:14 <nitzmahone> yeah, my internal time-reference service is totally broken for anything the past 2 years or so
20:28:30 <briantist> yup
20:29:36 <nitzmahone> welp, anything else to kick around today?
20:29:47 <jborean93> I'm all good
20:30:11 <briantist> nothing else from me
20:30:40 <nitzmahone> Cool, til next week then. Thanks all! PS- I'm on PTO during this meeting next week, so Jordan's running the show :D
20:30:44 <nitzmahone> #endmeeting